3

What command can be used in Linux to display the version of ssh-keygen? Its man page doesn't tell the version, oddly, nor does it mention any option to do it (e.g. -v or --version). Of no use is apt-cache either, as it shows the version of the whole containing package (ssh).

2
  • Try -V for version (upper case).
    – harrymc
    Commented Feb 6, 2023 at 10:09
  • Nope. option requires an argument -- V
    – ByteEater
    Commented Feb 6, 2023 at 11:50

1 Answer

4

ssh-keygen does not have its own version separate from the whole containing package (which corresponds to the version of the OpenSSH release that was packaged).

So if dpkg -l openssh\* says it's "8.4", then /usr/bin/ssh-keygen is also version 8.4.

Only some OpenSSH tools have an option to display the version, in particular ssh does, so if you run ssh -V (or /usr/bin/ssh -V just to be sure) and it says 8.4p1, then all other ssh-* tools included in the same package also have version 8.4p1.


The GitLab article says "SSH version 6.5 or later" – I'm pretty sure it means OpenSSH 6.5 or later, as there is no SSH protocol version 6.5 (protocol SSHv2 is still current).

OpenSSH 6.5 did not use MD5, but rather had the ability to use it (much like older TLS clients had the ability to speak SSLv3) – as far as I understand, only if connecting to an outdated server which required RSA-MD5, not all the time. Also, this only affected server-client communication but not key generation (SSH keys don't have long-term signatures in them at all).

4
  • It says 1:8.9p1-3ubuntu0.1. What do then the versions mentioned here refer to? I saw the initial 1 and assumed it was some unrelated version number and that indeed ssh-keygen was versioned separately. But maybe it's the 8.9 after the 1:?
    – ByteEater
    Commented Feb 6, 2023 at 11:55
  • 1
    8.9p1 is the actual upstream version; 1: is what Debian calls an "epoch", I believe (had to be used to force apt to treat a downgrade as an upgrade, a long time ago). -3ubuntu0.1 are various Debian-level adjustments (i.e. repackaging of the same 8.9p1) as well as Ubuntu-level adjustments on top of that. Commented Feb 6, 2023 at 11:59
  • When the GitLab page says "SSH version 6.5 or later. Earlier versions used an MD5 signature, which is not secure", they're most likely referring to OpenSSH version 6.5 (older OpenSSH versions used to display MD5 fingerprints – but they never made MD5-based signatures, so I don't know why the page is saying "signatures"). This only affects the ECDSA key fingerprint is ... message and doesn't directly influence the quality of generated keys. Commented Feb 6, 2023 at 12:02
  • I looked into this a bit more and apparently yes, there used to be rsa+md5 usage in SSH which was removed in OpenSSH 6.5 – but that's not key generation; it's in the communication between client and server, so it is not so much "used" as "had the ability to use, when connecting to a similarly outdated server". Commented Feb 6, 2023 at 12:12
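
The Debian version layout described in the comments above (epoch, upstream release, Debian/Ubuntu revision) can be split mechanically and the upstream OpenSSH release compared against a minimum such as 6.5. This is an added example, not part of the original thread; the function names are hypothetical and the default input is the version string quoted in the comments.

```shell
#!/bin/sh
# Added example. Debian version layout: [epoch:]upstream[-revision]
# Functions use ( ) bodies so their variables stay local in plain POSIX sh.

deb_epoch() (
    case $1 in
        *:*) printf '%s\n' "${1%%:*}" ;;   # text before the first colon
        *)   printf '0\n' ;;               # no epoch means epoch 0
    esac
)

deb_upstream() (
    v=${1#*:}                              # drop "epoch:" if present
    case $v in *-*) v=${v%-*} ;; esac      # drop "-revision" (after the last hyphen)
    printf '%s\n' "$v"
)

deb_revision() (
    v=${1#*:}
    case $v in *-*) printf '%s\n' "${v##*-}" ;; *) printf '\n' ;; esac
)

# openssh_at_least UPSTREAM MAJOR MINOR
# Returns 0 if UPSTREAM (e.g. "8.9p1") >= MAJOR.MINOR, 1 if older, 2 if unparsable.
openssh_at_least() (
    rel=${1%%p*}                           # "8.9p1" -> "8.9"; pN is the portable patch level
    case $rel in *.*) ;; *) exit 2 ;; esac
    major=${rel%%.*}
    minor=${rel#*.}; minor=${minor%%.*}    # "3.7.1" -> minor 7
    for n in "$major" "$minor"; do
        case $n in ''|*[!0-9]*) exit 2 ;; esac
    done
    [ "$major" -gt "$2" ] && exit 0
    [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]
)

# Default input is the version string quoted in the thread; pass another as $1.
ver=${1:-"1:8.9p1-3ubuntu0.1"}
up=$(deb_upstream "$ver")
printf 'epoch=%s upstream=%s revision=%s\n' \
    "$(deb_epoch "$ver")" "$up" "$(deb_revision "$ver")"
if openssh_at_least "$up" 6 5; then
    echo "OpenSSH $up is 6.5 or later"
else
    echo "OpenSSH $up is older than 6.5 or could not be parsed"
fi
```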
